Tuesday, 29 July 2008

Help put the record straight

I have no idea who reads my blog, if anyone. But there are at least 250 who regularly tune in, and drop right back out again throughout the day and the globe. I hope beyond all reasonable hope that some of you are wise old CISOs with a keen interest in helping the wider community, or at least me.

You may remember this article where I pulled apart a recent vendor survey. Always satisfying, and no-one really has much sympathy for vendors, I should know, I've worked for them for years, and it really does take its toll. Anyway, I guess I got all my vitriol out... and got a reply from their marketing manager. I did this last year with another blogger, and spent several hours apologising and putting the record straight, so this time I just kind of whimpered and ran away.

However, this marketing manager, who I will call David, because that's his name, was very kind, very pleasant and quite persistent in getting my help. The result was that I said I'd help out if we could make the PCI survey a bit more focused, less vendor-y and more like something I could shove up on my blog.

Here it is - please read and fill in, it will help us sort out exactly what IS going on with PCI right now. And if it's statistically insignificant, we'll have another go.

Tuesday, 15 July 2008

Insane in the mainframe

I'm back in the UK. Jetlag plays funny games with my head for a few days, but I'm generally over the worst of it by now. Apparently it is a really hot day today, I wouldn't know, my car's been in the garage so I deliberately arranged all my boring admin jobs, which kept me inside. I re-wrote 2 documents for colleagues, did my expenses, drank copious amounts of tea and then, with a little 'spare' time I logged onto the mainframe in Dayton.

Now, not everyone has a mainframe at their disposal like I do, I appreciate that, but if you haven't touched one in a while, or even ever, and you consider yourself a techie, find one somehow, they are great (techie) fun. Maybe I should explain... PKWare, whom I am currently contracted to, have a fine mainframe SecureZIP product, which is extremely powerful and useful, but for some reason not widely known about yet. I think everyone is still pretty happy with PKZIP, despite the extra power and security this gives them.

I guess in the 80s when Phil Katz (the PK of PKWare) wrote ZIP, the internet was a smaller place, and everyone used BBS (which PK was also instrumental in developing). What a shame publicity costs money these days. My opinion of the product isn't so relevant in this context though, I've expressed my satisfaction with the PK solution already in these pages.

What I am currently enjoying is playing on a mainframe. There is nothing so satisfying as typing short commands into a green and black (sometimes red and white too) screen, all on command lines, and getting numerical return codes. I don't know why this gets me so much, perhaps it's in my blood. My father sold mainframes for IBM back in the 60s and 70s, my mother programmed on them. No wonder I'm a geek.

Did you know, there is even mainframe related humour? If you understand this joke, you are probably in your 50s or 60s, or have a manual somewhere which explains it...
"What's a SOC4?"
"Covering your foot."
It's so lame, it's good. And I know of at least 2 people (working for PKWare) who are chuckling at this right now. You know who you are.

Sunday, 6 July 2008

PCI the priest

When I said previously that I hate traveling, I need to re-phrase that. I hate flying. I hate flying to work specifically. I mitigated my travel this week by realising that there would be some great people at the end of my travels. I get to meet the PKWare techies tomorrow, and play on their mainframe, that's worth the hop. I can use the mainframe over VPN at any time however, and I've spoken to them on the phone before. I guess what I'm saying is, I still find it hard to equate my paranoid fear of flying with the extreme sensual pleasure of meeting the IT department face to face. Still, I also get to spend time at head office, which is also fun, and I get to pick up another laptop with all sorts of groovy demos on it. So having entered the country with 2 laptops, I will be leaving with 3. The TSA is going to have a field day.

On top of all of this, I've just spent the afternoon with Alex Hutton. Now I feel like my journey was worth the palpitations and sweats on take-off and gut-wrenching lurches of landing. We spent the afternoon getting lost on the highway, talking risk, FAIR, UK and European markets, all that jazz. He made me look at some things in a totally new way, which is always a sign of a great conversation.
"If I went to a doctor and said I was feeling unwell, and he just gave me a bunch of things I needed to do to protect against that...", Alex started, "he'd be a witch doctor".
"Or a priest", I interjected.
"Or a priest", he concurred.
"Well, that's what PCI does."
The general consensus of the conversation being that we are still in very early stages of our understanding of security, and what is possible. It feels like we have reached a glass ceiling to me, and after our conversation this afternoon, I finally realise why that is. We're looking at it all the wrong way. The problem with security is that it is too much of an art, too much is left to opinion, and too many are looked up to for that opinion. Myself included.

Rather than PCI being the witch doctor, what about us, the bloggers? WE are the ones who are the witch doctors. I rather prefer PCI as priest, because it does not pretend to be the healer, rather a guide, and I think it is a good analogy for keeping both the critics and the advocates happy.

What we need in security is a bit more science. I enjoy security because, as everyone is very fond of saying recently, it is an interesting intellectual pursuit, like philosophy in many ways. Only it is also something which we can make money out of, by applying business ideas, or consulting, explaining our hand-wavy ideas to people less intellectual than ourselves.

What we don't have is an exact model, a method which says "here is where the problem was, here is where it is now, and here's where it's going to be. This is how much it will cost." PCI says "do this and you will be living a good clean life, the wages of data breach is fines" - the priest. Bloggers say "apply tree-root bark, AV, firewalls, DLP, etc, to the wound and it will solve all that ails you" - the witch doctor. Very much steeped in opinion and personal bias.

The model needs to be accurate. As Alex explained, it has many variables, few absolute metrics, and varies threats, data flow and system management. How that model comes about is anyone's guess, when it does, it will be incrementally improved, much like modern medicine. It will probably have its critics, none more so than amongst the bloggers it seems to contradict, or the PCI advocates it initially seems to put straight. I see no reason for it not to co-exist with both however. As a blogger I am always willing to learn. PCI is not a fundamentalist, it is flexible, and will adapt if given the scope to. In this regard I am the Christian Scientist.

The model will be guided by experiment and empirical analysis rather than opinion. How many times have we all been proven wrong by new evidence? "80% of threats are external", "firewalls will secure your network", "<insert technology here> will be the next big thing". I think there will still be a place for the priest however, and hopefully not just during the last rites - deciding how big that fine should be.

You should listen to Alex. He's a very smart guy, and he's leading the field in finding the answers in this, along with his business partner, Jack. I understand what he's been getting at a little better for meeting him, picking his brains and getting to the bottom of where he's coming from. If only I had another 4 hours to write it all down...

Saturday, 5 July 2008

Award up for grabs

Obviously Schneier's going to win this, he's older and wiser and more bearded than I. On top of that he's written about 20 books on security and has 4 billion people reading his blog. Personally I think he's over-rated. :)

I remain fully seated in controversy of course, winning friends and influencing people wherever I lay my hat. Tonight my hat is in Chicago, I am exhausted, and I'm going to bed.

Goodnight America, god bless. Oh yeah, VOTE FOR ME!

Thursday, 3 July 2008

If you can't beat 'em, join 'em

I have to be careful what I say here, but this annoyed me. No, not because they are promoting firewalls, which suck, and will always suck, and should be shot, but because of this:
Firewalls are underrated, but only by an industry which is perpetually looking at selling you the next new thing.
Again, not because it's a lie, firewalls are not underrated, they couldn't be. No, because it's hypocritical crap. Sorry Matasano, you may have some of the finest security minds in the business, who could knock me into a cocked hat, but this is spin. If you don't like being part of an industry that is perpetually trying to sell the next new thing, don't build new things and try to sell them whilst pretending to be a research company.

You guys are supposed to be teaching people about security, not dragging it back into the 20th Century. No wonder "Firewall adoption is huge, and what most companies struggle with is with managing their rules and making sure they get the most out of their existing deployment" - when even the most stand-up, hands-on-hearts, honest to goodness pure security folks are trying to hawk them bloody firewall enablement software!

This is the most circular, hypocritical and ridiculous argument from a bunch of otherwise extremely clever and normally responsible people that I've read in a long time. And I've been reading PCI surveys.

Survey warning

My dear chum Walt has something to say on PCI surveys today. He puts his questions in a very understated way, such is his low-key manner. I can reveal that it was I that was the straw which broke the camel's back however. You might recall my recent whingeing about a NetIQ survey which said that PCI in Europe wasn't being taken seriously, and they could prove it from a pretty small sample.

I was approached by their marketing manager afterwards, and whilst my back was up initially, I have to say he has won me over with his patience and more importantly, his desire to learn what would make it better. We are going to try and increase the sample size in the coming weeks with a new survey, more targeted and less commercially orientated. Hopefully this will have some real value, and maybe even more coverage in The Register again.

Walt has been very helpful in pointing me in the right direction about how to make this survey objective, but something he did say in a mail to me, he didn't put in his post. The gist was that now PCI awareness has been achieved, everyone wants to know what everybody else is doing. This is subtly different from "wanting to learn from each other", which is a very nice way of looking at it.

Maybe that's because it assumes too much and he knew I'd get what he was saying, but it kind of put things in a nutshell for me. What IS everyone else doing? It seems that the more we talk about PCI, the less we want anyone else to know what we've done. Are we afraid that our solutions aren't as good as next door's? Are we afraid they will try and copy our homework? Come on retailers and banks, let's have a bit of care in the community, share the knowledge!

Colour blind elephants

I'm off to Chicago again at the weekend, 2 days in Dayton, Ohio and 2 days in Milwaukee, then back on the red-eye next Friday. I wasn't really looking forward to this traveling much, in fact I'm still not, I hate flying and I usually think that most trips to the US could be pretty easily replaced by a Webex, but that's another story entirely. I was treating it as a chance to meet some new people and see a bit of some new places, until I remembered that last time I came out to San Francisco I'd polled all my security contacts in advance to see who'd be there. I met up with quite a few, but one who I'd always wanted to hook up with was all the way out in Columbus... Ohio. See where this is going?

I quickly rattled off a mail to Alex Hutton on Tuesday, and by close of play yesterday we had not only arranged to meet up, but he's picking me up from the airport and depositing me at my hotel. I think that just about sums up what I love about the Security Bloggers Network, security people in general, and particularly Alex. From the very moment I started waffling in these pages about data, PCI, certificates, encryption and the like, I have had a warm reception and made some great friends. Yes, yes, I realise you're waiting for the reference in the title, and no, as far as I know, Alex is neither colour blind, nor an elephant.

At the same time as I was writing my mail to Alex to say thank you for his hospitality, another email landed in my inbox. A spam mail, which I usually ignore as they refer to me reclaiming my manhood or enlarging it somehow. This one I could not, the sender name held my attention for far longer than necessary, and the title I had to explore more.

Mr. Rottenberg Bonson has sent me a mail about "proboscidean tritanopia". Two words so obscure even my spellcheck questions them (but then it questions 'spellcheck' too.) I had to look them up, but on closer inspection this does of course refer to a subject close to my heart:

pro·bos·cid·i·an (prō'bə-sĭd'ē-ən) also pro·bos·ci·de·an (prō-bŏs'ĭ-dē'ən)

A mammal of the order Proboscidea, such as the elephant or its extinct relatives, having a long trunk, large tusks, and a massive body.

tri·tan·o·pi·a (trī'tə-nō'pē-ə)

A visual defect characterized by the inability to discern blue and yellow.

Yes, my interest in colour blind elephants has emerged, my fame is spreading. Rottenberg and I would now be firm friends, except the body of the mail then completely ignored my interest in dichromatic pachyderms and instead waffled on about Viagra. Boo. Sorry Mr. Bonson, if indeed that IS your real name, I won't be following you up on that one.